---
title: "Authentication"
description: "How to authenticate with Dravo: API keys for the public API, dashboard JWT, live and test environments."
section: "Getting started"
url: https://dravo.dev/docs/authentication
---
# Authentication

Dravo accepts two kinds of credentials. Most integrations only ever need an API
key.

## API keys

Create API keys in the dashboard (Keys). The full secret is shown once at
creation, then only a short prefix is stored for display. Send the key as a
Bearer token on every request:

```bash
curl https://api.dravo.dev/v1/accounts \
  -H "Authorization: Bearer dra_live_8f2c..."
```

Keep keys server side. Revoke a key any time from the dashboard or with
[`DELETE /v1/api-keys/{key_id}`](/docs/api/api-keys); revocation takes effect
immediately.

## Live and test environments

Every key is bound to an environment, visible in its prefix:

| Prefix | Environment | Use it for |
| --- | --- | --- |
| `dra_live_` | live | Real delivery to real accounts. |
| `dra_test_` | test | Development and integration testing. |
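
A client-side guard built on the prefixes above, as an added example that is not part of Dravo's own documentation or tooling: it refuses to send a request when the key's environment does not match the one the job expects, and keeps the secret out of the process argument list. The function names and the `DRAVO_API_KEY` and `DRAVO_EXPECT_ENV` variables are assumptions.

```bash
# Added example, not Dravo's own tooling. Only the dra_live_/dra_test_ prefixes
# and the Bearer header come from the docs; function names, DRAVO_API_KEY and
# DRAVO_EXPECT_ENV are assumptions made for this sketch.

# Print the environment a key is bound to, judged by its prefix.
dravo_key_env() {
  case "$1" in
    dra_live_?*) echo live ;;
    dra_test_?*) echo test ;;
    *) echo unknown; return 1 ;;
  esac
}

# Log-safe form of a key: environment prefix plus 4 characters.
# Short or unrecognised values are never echoed back.
dravo_redact() {
  if dravo_key_env "$1" >/dev/null && [ "${#1}" -gt 20 ]; then
    printf '%.13s...\n' "$1"
  else
    echo '[redacted]'
  fi
}

# Fail unless the key ($2) belongs to the expected environment ($1: live|test).
dravo_require_env() {
  _got="$(dravo_key_env "$2")" || {
    echo "dravo: credential is not an API key" >&2
    return 2
  }
  if [ "$_got" != "$1" ]; then
    echo "dravo: expected a $1 key, got $_got: $(dravo_redact "$2")" >&2
    return 3
  fi
}

# curl wrapper: checks the environment first, then passes the Authorization
# header through a config read from stdin so the key never appears in argv.
# Usage: DRAVO_EXPECT_ENV=test dravo_curl https://api.dravo.dev/v1/accounts
dravo_curl() {
  dravo_require_env "${DRAVO_EXPECT_ENV:-test}" "${DRAVO_API_KEY:-}" || return
  printf 'header = "Authorization: Bearer %s"\n' "$DRAVO_API_KEY" |
    curl --silent --show-error --fail --config - "$@"
}
```

Defaulting the expected environment to `test` means a live key has to be opted into explicitly, which keeps development and CI runs from delivering to real accounts.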

## Dashboard JWT

The dashboard authenticates with a Supabase JWT (ES256), verified locally
against the project JWKS. You normally do not handle this token yourself; it is
used by the web app. The public API endpoints accept either a JWT or an API key,
so any public API operation the dashboard performs can also be done with a key.
Dashboard-only surfaces require the JWT.

## Which auth does each endpoint use

Dravo has two access levels:

- Public API (JWT or API key): publish, accounts and media. These are the
  endpoints an integration or agent calls.
- Dashboard only (JWT): account management surfaces such as API keys, billing,
  stats, webhook configuration and the interactive OAuth flow.

Each page in the [API reference](/docs/api/publish) states the auth it requires
in its `Auth` line.
